Bug 560526 (CVE-2015-5277) - <sys-libs/glibc-2.22: data corruption while reading the NSS files database (CVE-2015-5277)
Status: RESOLVED FIXED
Alias: CVE-2015-5277
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A4 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-15 09:58 UTC by Agostino Sarubbo
Modified: 2017-02-19 12:39 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-09-15 09:58:44 UTC
From ${URL}:

It was discovered that the NSS files backend in glibc could corrupt
data while it was read from files such as /etc/passwd or /etc/hosts,
returning incorrect data to the application, potentially disclosing
information or leading to escalation of privilege.

External references:

https://sourceware.org/bugzilla/show_bug.cgi?id=17079

Upstream commit:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=ac60763eac3d43b7234dd21286ad3ec3f17957fc


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
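The failure class the Red Hat description refers to, a line-oriented reader with a fixed-size buffer that hands the tail of an overlong line to the caller as if it were the next record, shown as an added example. This is constructed demonstration code, not glibc's nss_files implementation and not the upstream fix: the passwd-style sample, the record parser, both reader functions and the initial buffer size are assumptions, and the buffer size is chosen so that the split lands at an illustrative point. The naive reader returns a "backup" entry with uid 0 that exists nowhere in the file; the checked reader notices that the buffer filled without a newline, rewinds the stream to the start of that line and reports ERANGE, so the caller's retry with a larger buffer reads the comment line whole.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed passwd-style input (assumption: not a real /etc/passwd).
   The comment line is longer than the initial line buffer, and its tail
   happens to look like a complete record. */
#define COMMENT_HEAD "# Local accounts; everything after this marker is free text: "
#define SMUGGLED     "backup:x:0:0:backup:/:/bin/sh"

static const char SAMPLE[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    COMMENT_HEAD SMUGGLED "\n"
    "nobody:x:65534:65534:nobody:/nonexistent:/bin/false\n";

/* Initial buffer size, chosen so the first fgets() on the comment line
   stops exactly at the end of COMMENT_HEAD (an assumption for the demo). */
#define LINEBUF sizeof(COMMENT_HEAD)

struct pw_entry { char name[32]; long uid; char shell[32]; };

/* Parse "name:pw:uid:gid:gecos:dir:shell" in place.  Returns 1 if well-formed. */
static int parse_passwd_line(char *line, struct pw_entry *out)
{
    char *f[7], *p = line, *end;
    for (int i = 0; i < 7; i++) {
        char *colon = strchr(p, ':');
        f[i] = p;
        if (i < 6) {
            if (colon == NULL) return 0;            /* too few fields */
            *colon = '\0';
            p = colon + 1;
        } else if (colon != NULL) {
            return 0;                               /* too many fields */
        }
    }
    long uid = strtol(f[2], &end, 10);
    if (*f[0] == '\0' || end == f[2] || *end != '\0') return 0;
    snprintf(out->name, sizeof out->name, "%s", f[0]);
    out->uid = uid;
    snprintf(out->shell, sizeof out->shell, "%s", f[6]);
    return 1;
}

/* Naive reader: trusts that every fgets() result is a complete line.
   Returns 1 with *out filled, 0 at end of file. */
static int naive_getent(FILE *fp, char *buf, size_t buflen, struct pw_entry *out)
{
    while (fgets(buf, (int)buflen, fp) != NULL) {
        buf[strcspn(buf, "\n")] = '\0';
        if (buf[0] == '#' || buf[0] == '\0') continue;   /* comment or blank */
        if (parse_passwd_line(buf, out)) return 1;
    }
    return 0;
}

/* Checked reader: same contract, plus -1 with errno = ERANGE when a line does
   not fit.  The stream is first moved back to the start of that line, so a
   retry with a larger buffer re-reads it whole instead of continuing mid-line. */
static int checked_getent(FILE *fp, char *buf, size_t buflen, struct pw_entry *out)
{
    for (;;) {
        long start = ftell(fp);
        if (fgets(buf, (int)buflen, fp) == NULL) return 0;
        size_t n = strlen(buf);
        if (n == buflen - 1 && buf[n - 1] != '\n') {    /* buffer full, no newline */
            fseek(fp, start, SEEK_SET);
            errno = ERANGE;
            return -1;
        }
        buf[strcspn(buf, "\n")] = '\0';
        if (buf[0] == '#' || buf[0] == '\0') continue;
        if (parse_passwd_line(buf, out)) return 1;
    }
}

typedef int (*getent_fn)(FILE *, char *, size_t, struct pw_entry *);

static struct pw_entry entries[8];

/* Run one reader over SAMPLE, doubling the buffer on ERANGE the way a
   getpwent_r() caller would.  Returns the number of entries collected. */
static int enumerate(getent_fn getent)
{
    FILE *fp = fmemopen((char *)SAMPLE, sizeof SAMPLE - 1, "r");
    size_t buflen = LINEBUF;
    char *buf = malloc(buflen);
    int count = 0;
    if (fp == NULL || buf == NULL) return -1;
    while (count < 8) {
        int rc = getent(fp, buf, buflen, &entries[count]);
        if (rc == 1) { count++; continue; }
        if (rc == -1 && errno == ERANGE) {
            buflen *= 2;
            buf = realloc(buf, buflen);
            continue;
        }
        break;                                          /* end of file */
    }
    free(buf);
    fclose(fp);
    return count;
}

int main(void)
{
    getent_fn readers[] = { naive_getent, checked_getent };
    const char *names[] = { "naive", "checked" };
    for (int r = 0; r < 2; r++) {
        int n = enumerate(readers[r]);
        printf("%s reader: %d entries\n", names[r], n);
        for (int i = 0; i < n; i++)
            printf("  %-8s uid=%-6ld shell=%s\n", entries[i].name, entries[i].uid, entries[i].shell);
    }
    return 0;
}
```

The rewind before reporting ERANGE is the part that matters for callers: the documented retry pattern for the reentrant NSS functions is to grow the buffer and call again, and that only yields the right record if the reader left the stream at the start of the line it failed on.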
Comment 1 SpanKY gentoo-dev 2015-10-11 00:12:30 UTC
this is in the glibc 2.22 ebuild already and will be in 2.22-r1 when unmasked
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-19 02:52:49 UTC
@toolchain, I doubt this can be cleaned up, but as usual will check with the project.  Can it?  Thanks.
Comment 3 SpanKY gentoo-dev 2016-07-19 14:33:19 UTC
cleanup of glibc/binutils/gcc packages should be left to the toolchain team.  it's not the same as other packages.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-07-20 01:09:46 UTC
(In reply to SpanKY from comment #3)
> cleanup of glibc/binutils/gcc packages should be left to the toolchain team.
> it's not the same as other packages.

Yes, that was the intent of the comment.  Asking if the toolchain team can cleanup the vulnerable ebuilds.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-02-19 12:35:37 UTC
This issue was resolved and addressed in
 GLSA 201702-11 at https://security.gentoo.org/glsa/201702-11
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-02-19 12:39:46 UTC
This issue was resolved and addressed in
 GLSA 201702-11 at https://security.gentoo.org/glsa/201702-11
by GLSA coordinator Thomas Deutschmann (whissi).